Update a Secret in a Vault

When the SSL certificate for a custom endpoint is stored in a vault, you update it by creating a new version of the secret. After you create the new version, you update your instance so that it starts using the new version of the secret.

To update a custom endpoint's SSL certificate:

  1. Open the OCI Console.
  2. Update the SSL certificate.

    The steps for updating a certificate depend on whether you have already created a vault in your tenancy.

    • If you already manage the SSL certificates in a vault yourself, meaning you have already created a vault in your tenancy, perform the following steps to create a new version of the secret in your vault and update the certificate:
      1. Open the vault containing the certificate you want to update, then select the Secrets tab.
      2. In the Secrets tab, select the Versions tab, and then select Create Secret Version.
      3. In the Create Secret Version page, paste the certificate JSON into the Secret Contents field.
        Note

        When creating the certificate JSON, make sure the key and certificate are correct (the private key must be the one that belongs to the certificate) and that the JSON is well formed.

        It is strongly recommended that you generate the certificate JSON on a Linux/Unix command line, or with Unix utilities, so that the line endings are Unix (LF) line endings. Files created or edited on Windows often carry CRLF line endings, and incorrect line endings result in an error when the secret version is created. For details on the correct certificate formatting, see Configure a Vault for a Custom Endpoint.

      4. Click Create Secret Version.

        After you create the new version, the Versions table is updated, and the new version is labeled "Current" in the Status column.

    • If you have not been managing the SSL certificates in a vault yourself, meaning you have been using a vault created and managed by Oracle, you need to create a new vault in your tenancy before you can update your certificates.

      For example, Oracle Digital Cloud Service customers, after they have been migrated to their own tenancy, are responsible for managing their certificates, and might need to create a vault in their tenancy before they can update their certificates.

      Perform the following steps to create a vault and update the certificates:

      1. Create a vault and secret for the hostname used for your primary endpoint.

        You can see the details of your instance's primary endpoint in the Custom endpoint pane in the Visual Builder Instance details page.

        For the steps to create a vault and secret, see Configure a Vault for a Custom Endpoint.

  3. Update your instance.

    You need to update your instance to start using the updated secret.

    • If you created a new version of the secret in your vault for a primary endpoint:

      1. Open the Visual Builder Instance details page.

        You will see a notification that a new version of the secret has been created and that you need to update your instance.

      2. From the Actions menu, select Edit to open the Edit visual builder instance panel.
      3. In the Edit visual builder instance panel, click Save Changes to update the instance with the new version of the secret.

        You do not need to change any of the custom endpoint settings.

    • If you created a new vault and secret for a primary endpoint:

      1. Open the Visual Builder Instance details page.
      2. From the Actions menu, select Edit to open the Edit visual builder instance panel.
      3. In the Custom endpoint pane, select the new vault and secret from the dropdown lists.

        Do not change the hostname or compartment.

      4. Click Save Changes to update the instance with the new vault and secret.
    • If you created a new version of the secret in the vault for an alternate endpoint:

      After creating a new version of the secret, you need to update the alternate endpoint to use the new version. For alternate endpoints, you must use the OCI CLI update command; you can run it in the Cloud Shell editor in the OCI Console.

      When you run the update command, you don't need to explicitly specify the secret version because it is automatically updated to the most recent version.

      1. Open the Visual Builder Instance details page.
      2. Select the Developer tools menu in the header, and then select Cloud Shell to open the Cloud Shell editor.

        The Cloud Shell editor opens at the bottom of your browser window. It might take a minute for the editor to initialize.

      3. In the shell editor, check if the shell is working correctly by entering the following command at the prompt:
        oci visual-builder vb-instance get --id <OCID>

        For the --id parameter, provide the instance's OCID, which is listed in the Details tab. To copy the OCID, click Copy next to it.

        The command should return the details of the instance whose OCID you supplied, that is, the instance open in the details page. The output also lists the instance's alternate endpoints, which you need for the next step.

      4. Run the update command with the --alternate-custom-endpoints parameter to update the alternate endpoints in the instance.
        Note

        When you run the command, confirm that the payload includes the details of every alternate endpoint in the instance. The update replaces the whole list: if you omit an alternate endpoint from the payload, that endpoint is deleted. Use the output of the get command in the previous step to check the complete list of alternate endpoints before you build the payload.

        In the update command, you need to provide the instance's OCID for the id parameter, and include a JSON array containing the details of every alternate endpoint in the instance as the payload of the alternate-custom-endpoints parameter:

        • If you have any alternate endpoints using a vault to store certificates, you need to include in the payload the hostname and the certificate secret OCID of each endpoint:

          --alternate-custom-endpoints '[{"hostname":"hostname.com","certificateSecretId":"<SECRET_ID>"}]'
        • If you have any alternate endpoints using WAF for certificates, you only need to include the hostname of the alternate endpoints in the payload:

          --alternate-custom-endpoints '[{"hostname":"hostname.com"}]'

        For example, if you have two alternate endpoints in your instance, and you want to update one of them, the update command might look something like this:

        oci visual-builder vb-instance update --id <VB_INSTANCE_OCID> \
        --alternate-custom-endpoints '[{"hostname":"hostname.com","certificateSecretId":"<SECRET_ID>"},
        {"hostname":"hostname1.com","certificateSecretId":"<SECRET_ID>"}]'

        Notice that although in this case you are only updating one endpoint, the alternate-custom-endpoints parameter payload contains the details for the instance's two alternate endpoints (hostname.com and hostname1.com).
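The following shell script is an added example and is not part of Oracle's documentation or tooling. It shows how to build the certificate JSON for the Secret Contents field in step 2 from PEM files with Unix utilities, as the note in that step recommends: it strips carriage returns so the secret is written with LF line endings, refuses input that is not PEM text (so nothing can break out of the JSON strings), and, when openssl is available, checks that the private key actually belongs to the certificate. The field names key, cert and intermediates are placeholders assumed here for illustration; take the real layout from Configure a Vault for a Custom Endpoint.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: build the certificate JSON
# for a secret version from PEM files, with LF line endings guaranteed.
# ASSUMPTION: the field names "key", "cert" and "intermediates" are illustrative;
# take the real layout from "Configure a Vault for a Custom Endpoint".

# Convert one PEM file into a JSON string literal:
#   - delete carriage returns (CRLF -> LF),
#   - encode each newline as the two characters \n,
#   - wrap the result in double quotes.
pem_to_json_string() {
  # Accept only PEM content (base64 alphabet and "-----BEGIN/END ...-----" lines).
  # Anything else, such as quotes or backslashes, could break out of the JSON string.
  if tr -d '\r\n' < "$1" | grep -q '[^A-Za-z0-9+/=[:space:]-]'; then
    echo "error: $1 is not plain PEM text" >&2
    return 1
  fi
  printf '"%s"' "$(tr -d '\r' < "$1" | sed 's/$/\\n/' | tr -d '\n')"
}

# Assemble the secret: $1 = private key, $2 = server certificate,
# remaining arguments = intermediate CA certificates (optional).
build_cert_secret_json() {
  key_json=$(pem_to_json_string "$1") || return 1
  cert_json=$(pem_to_json_string "$2") || return 1
  shift 2
  chain_json=""
  for f in "$@"; do
    item=$(pem_to_json_string "$f") || return 1
    chain_json="${chain_json:+$chain_json,}$item"
  done
  printf '{"key":%s,"cert":%s,"intermediates":[%s]}\n' "$key_json" "$cert_json" "$chain_json"
}

# Verify that the private key really belongs to the certificate by comparing the
# public key derived from each. Needs openssl; the check is skipped if it is absent.
check_key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, key/cert check skipped" >&2; return 0; }
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo "error: cannot read private key $1" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || { echo "error: cannot read certificate $2" >&2; return 1; }
  [ "$key_pub" = "$cert_pub" ] || { echo "error: $1 does not match $2" >&2; return 1; }
}

# Usage:
#   check_key_matches_cert server.key server.crt && \
#     build_cert_secret_json server.key server.crt intermediate.crt > secret.json
# Then paste the contents of secret.json into the Secret Contents field.
```

Because the whole JSON is emitted on one line with every PEM newline encoded as \n, nothing in it depends on the line-ending convention of the machine or editor it passes through before it is pasted into the console.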
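The script below is an added example, not Oracle's code, for the alternate-endpoint update in step 3. It builds the --alternate-custom-endpoints payload from the instance's current list of alternate endpoints and replaces the secret OCID for only the hostname you are updating, so that an endpoint cannot be dropped by accident and an unknown hostname is rejected rather than silently added. The current list is read from a plain text file of "hostname secret-ocid" lines, with "-" for an endpoint whose certificate is managed by WAF. The jq command in the comments for producing that file from the get command's output, including the kebab-case key names, is an assumption about the CLI's output format; the OCIDs in the usage are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: rebuild the complete
# --alternate-custom-endpoints payload so that no endpoint is dropped.
#
# Input: a file with one endpoint per line, "hostname secret-ocid", where the
# secret OCID is "-" for a WAF-managed endpoint that has no vault secret.
# ASSUMPTION about the CLI output shape: such a file can be produced with
#   oci visual-builder vb-instance get --id "$VB_INSTANCE_OCID" \
#     | jq -r '.data["alternate-custom-endpoints"][]
#              | "\(.hostname) \(.["certificate-secret-id"] // "-")"' > current.txt

# $1 = current endpoint list, $2 = hostname to update, $3 = its new secret OCID.
# Prints the JSON array to pass to --alternate-custom-endpoints.
build_alternate_endpoints_payload() {
  list="$1"; target="$2"; new_secret="$3"
  found=0
  payload=""
  while read -r host secret; do
    [ -n "$host" ] || continue                      # skip blank lines
    if [ "$host" = "$target" ]; then
      secret="$new_secret"; found=1                 # swap in the new secret for this endpoint only
    fi
    case "$host$secret" in                          # keep the values from breaking the JSON strings
      *[\"\\]*) echo "error: quote or backslash in '$host $secret'" >&2; return 1 ;;
    esac
    if [ "$secret" = "-" ] || [ -z "$secret" ]; then
      entry=$(printf '{"hostname":"%s"}' "$host")   # WAF-managed: hostname only
    else
      entry=$(printf '{"hostname":"%s","certificateSecretId":"%s"}' "$host" "$secret")
    fi
    payload="${payload:+$payload,}$entry"           # every existing endpoint is carried over
  done < "$list"
  if [ "$found" -ne 1 ]; then
    echo "error: $target is not an alternate endpoint in $list; refusing to build a payload" >&2
    return 1
  fi
  printf '[%s]\n' "$payload"
}

# Usage (the update command itself is the one shown in this topic):
#   build_alternate_endpoints_payload current.txt hostname.com "$NEW_SECRET_OCID" > payload.json
#   oci visual-builder vb-instance update --id "$VB_INSTANCE_OCID" \
#     --alternate-custom-endpoints "$(cat payload.json)"
```

Generating the payload from the current list, rather than typing it by hand, is what protects the endpoints you are not updating: the update replaces the whole list, so the script starts from everything the instance already has and changes exactly one entry.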